Why I’ve just ditched my cloud-based password manager

TL;DR: I’ve ditched LastPass in favour of LessPass. The former stores your passwords in the cloud and requires a master password. The latter uses ‘deterministic password generation’ to keep things on your own devices.

Although I’ve used LastPass for the past six years, I’ve never been completely happy with it. There have been breaches, and a couple of years it was acquired by LogMeIn, a company not exactly revered in terms of trust and customer service. Their ’emergency break-in’ feature makes me feel that my passwords are just one serious hack or government request away.

I read Hacker News on pretty much a daily basis and I’m particularly interested in the underlying approaches to technology that change over time. There are certain assumptions and habits of mind that come to be questioned which lead to different, usually better, solutions to certain problems. Today, the issue of cloud-based password managers was again on the front page.

From the linked article:

When passwords are stored, they must be encrypted and then retrieved later when needed. Storage, of any type, is a burden. Users are required to backup stored passwords and synchronize them across devices and implement measures to protect the stored passwords or at least log access to the stored passwords for audit purposes. Unless backups occur regularly, if the encrypted password file becomes corrupt or is deleted, then all the passwords are lost.

Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords are lost.

Also:

I believe that password management should only occur locally on end use devices, not on remote systems and not in the client web browser.

Remote systems are outside the user’s control and thus cannot be trusted with password management. These systems may not be available when needed and may not be storing or transmitting passwords correctly. Externally, the systems may seem correct (https, etc.) but behind the scenes, no one really knows what’s going on, how the passwords are being transmitted, generated, stored, or who has access to them.

It’s pretty difficult to argue against these two points. Having felt uneasy for a while, I knew it was time to do something different. It was time to ditch LastPass.

I looked at a couple of different solutions: the one proposed by the author of the above quotations (too complex to set up), as well as one which looked promising, but now seems to be unsupported. In the end, I decided upon LessPass, which has been recommended to me by a few people this year.

All of this happens in the browser, without your data being transmitted anywhere else.

Basically, you enter the following:

Name of the site or thing for which you need a password

Your username

A secret passphrase

…and, from these three pieces of information, LessPass generates a password that you can then copy using complex algorithms and entropy stuff that I don’t understand.

The fact that I don’t understand it is fine, because there are people who do, and the code is Open Source. It can be inspected for bugs and vulnerabilities — unlike the proprietary solution provided by LastPass.

The options button to the bottom-right of the LessPass window gives the user advanced options such as:

Length of password

Types of character to include in the password

Increment number (if you’re forced to rotate passwords regularly)

My favourite LessPass feature, though, solves a nagging problem I’ve had for ages. If you have a long passphrase, then sometimes it can be very easy to mistype it. You don’t want to reveal your obfuscated passphrase to the world, so how can you be sure that you’ve typed it correctly?

Simple! LessPass adds an emoji triplet to the right of the secret passphrase box. You’ll notice that changes as you type and, when you finish, it should always look the same. If it doesn’t, then you’ve mistyped your passphrase.

I’ll be making the transition from LastPass to LessPass over the next few weeks. It’s not as simple as just exporting from one database into another, as the whole point of doing this is that there is no one place that someone can hoover up my passwords.

So my plan of action is:

Every time I use a service, create a new password using LessPass.

Delete existing password in LastPass.

Rinse and repeat until most of my passwords are generated via LessPass.

26 Comments

Marc

If one is able to get hands on my master password, they don’t need to have access to my password storage file, to be able to “calculate” all other passwords. That risk doesn’t exists with the “normal” online password managers, like LastPass, that often offer 2FA as an extra layer. Also it’s safer to use a different username for every website. Where do you store them now? And what about notes, like security codes (2FA) and questions?

Mathew

As a member of staff of LastPass, as someone who had hacked their systems, or as a government official with a warrant? Go into ‘settings’ and uncheck 2FA (you only have to enter the LastPass Master password – not a 2FA passcode – to be able to do this)

Tim

“Remote systems are outside the user’s control”. – a feature and a benefit. Security in the hands of security professionals because they…well…use ” complex algorithms and entropy stuff that [you] don’t understand”

The only time that a profile is kept in LocalStorage is when there’s a special configuration required by a website. I haven’t run across that yet.

In terms of regaining access to a service, I’ve recently had this issue with Kraken (the cryptocurrency exchange). It took a few days to sort things out with customer service, but I’d rather that then have all of my passwords available on-tap.

Nick

This is perfect for creating a really secure master password for LastPass 🙂

Now even though this is quite neat, it is not exactly a replacement for LastPass for a few reasons :
First you have to type stuff every time and remember login names, even remember sites…

You cannot have other stuff like credit card info etc saved securely.

If you need to share or manage passwords of others its going to become impossible.

However it is indeed ideal for what it does and for specific occasions…. Like for generating a super neat LastPass master password.

Obviously nothing can replace the cloud based solutions and maintain their convenience at the same time. But just for the sake of arguing I would say that the solution is not to abandon cloud based stuff but rather ensure that they get satisfyingly secure.

John

I’m committed to 1Password, using the local version. The extensions for browsers, and other intergrations work quite nicely. 1Password is a secure store for much of my private information, which it can fill in as appropriate. Examples include drivers license number, credit card, images of passports, wifi passwords, etc.

For those who travel, 1Password has the ability (which I haven’t used) to remove all traces of passwords for selected accounts from ones devices. On arrival, these passwords can be restored. Thus border personnel have no indication of your accounts.

Just a note: The algorithmic password generator shown above is no better than a robust random password generator.

James

How did you find the transition? My current vault has over 700 accounts. I suspect I can trim that a fair bit, but did you find this a difficult process? How long did it take you to move everything, or at least enough for you to ditch Lastpass?

Hi James, thanks for the follow-up question! Yes, I’m still using LessPass and it’s working well.

I gave myself a few months to make the transition but about 80% of it was done in a few weeks. Every time I logged in to a service or platform, I reset my password and deleted the LastPass version.

I’ve had three minor problems:

1. Some sites, notably for airlines, don’t accept the full range of characters that LessPass uses. I therefore have to remember to turn off non-alphanumeric characters when generating passwords for those sites.

2. I share passwords with my wife for some things. For these I’ve either found a different way to share or given her the new LessPass-generated password.

3. The LessPass extension for Firefox has been behaving strangely, but the Chrome one is fine (and I can always use the LessPass website in a pinch)

Overall, I’ve been very happy and would recommend LessPass to most people.

Jaehyun

Hi Doug. Thanks for the awesome article. I’ve read it about a year ago and now I’m trying to switch to LessPass from LastPass. Since I’m a software engineer, I understood how it works immediately.

The issue you have with some airline companies that you have to remember the password option can be solved using the database which can be synced in cloud. The difference is that this cloud database doesn’t store the passwords, it stores site name, username and password options.

There’s a problem that makes me feel uncomfortable. Your quoted article says that master password is a weak point for the cloud based solutions. But master password is more critical weak point for LessPass, because all passwords can be generated from the master password and some easy-to-get/guess metadata.